Friday, 6 December 2013

Every time you alter your Oracle APEX applications, whether it be by modifying some code, changing a setting, or adding something new, you could be diminishing your application's security by introducing new vulnerabilities.

Our ApexSec desktop product is a powerful tool for security analysis of Oracle APEX applications. On its own it is capable of providing you with a detailed report of the security of your APEX application in its current state and advising you how to secure it, and with its integrated APEX builder you can make the necessary changes on the spot. This has proven to be invaluable to individuals and businesses attempting to secure their applications in the run up to go-live.

However, when you encounter vulnerabilities that require you to change the logic or functionality of your application, doing so towards the end of development proves to be more difficult (or at least more time consuming) than doing so throughout the development process, and can lead to a major overhaul of your application's design. Being able to keep track of your application's security throughout the entire development process is the key to achieving both security and efficiency.

ApexSec can be run effectively using a Continuous Integration product like Hudson. You can set up a Hudson build to run ApexSec periodically, this could be every hour, every day or every week. The time-frame is up to you. This means that rather than running ApexSec against your applications manually when you see fit, Hudson will do it automatically, and it will paint a very clear picture of how your changes have altered the security of your application using a graph and report.

A full guide to setting up ApexSec with Hudson is published separately.

Using our BigBagBlog application we can illustrate how this gives you the ability to strictly monitor how every change, or a collection of changes, affects the security of your application.

Above is the job dashboard screen in Hudson after first running builds using ApexSec. You can see a graph showing the total number of items found (count). You can also see the total number of 'Passed' (secure), 'Failed' (insecure) and 'Skipped' (false positive) items, which can be seen in more detail by clicking on 'Latest Test Results'. This means that if you schedule Hudson to run periodically, for example every hour, it will begin to give you feedback regarding the changes to your application's security during that time period.

Now, if we introduce some vulnerabilities in the time between builds you will see something similar to this:

Straight away you can see an increase in the number of failed (insecure) items from the previous Hudson build. This is because ApexSec has detected new vulnerabilities in your application, which means that something you changed between the two builds created them. It's important to bear in mind that the time frame can be easily altered by changing the settings of your Hudson build.
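To make the comparison between builds concrete, here is an added example (not part of the original post or of ApexSec itself) that reads two builds' results and lists the items that fail now but did not before. It assumes the results Hudson shows under 'Latest Test Results' are available as JUnit-style XML; the report contents and item names are constructed for illustration.

```python
import sys
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample reports in JUnit-style XML. Assumption: ApexSec's Hudson
# output uses this shape (passed = no child element, failed = <failure>,
# skipped = <skipped>). The page and item names are made up, not real findings.
PREVIOUS_BUILD = """<testsuite name="apexsec" tests="3">
  <testcase classname="page-1" name="item-check-A"/>
  <testcase classname="page-2" name="item-check-B">
    <skipped message="marked as false positive"/></testcase>
  <testcase classname="page-3" name="item-check-C">
    <failure message="insecure"/></testcase>
</testsuite>"""

CURRENT_BUILD = """<testsuite name="apexsec" tests="5">
  <testcase classname="page-1" name="item-check-A"/>
  <testcase classname="page-2" name="item-check-B">
    <skipped message="marked as false positive"/></testcase>
  <testcase classname="page-3" name="item-check-C">
    <failure message="insecure"/></testcase>
  <testcase classname="page-4" name="item-check-D">
    <failure message="insecure"/></testcase>
  <testcase classname="page-5" name="item-check-E"/>
</testsuite>"""


def summarise(junit_xml):
    """Return (counts, failed_items): the Passed/Failed/Skipped totals that the
    Hudson graph plots, plus the identifiers of the failed (insecure) items."""
    counts = Counter(passed=0, failed=0, skipped=0)
    failed_items = set()
    for case in ET.fromstring(junit_xml).iter("testcase"):
        item = f"{case.get('classname')}/{case.get('name')}"
        if case.find("failure") is not None or case.find("error") is not None:
            counts["failed"] += 1
            failed_items.add(item)
        elif case.find("skipped") is not None:
            counts["skipped"] += 1
        else:
            counts["passed"] += 1
    return dict(counts), failed_items


def new_failures(previous_xml, current_xml):
    """Items failing now that did not fail in the previous build, i.e. the
    vulnerabilities introduced by changes made between the two scans."""
    return sorted(summarise(current_xml)[1] - summarise(previous_xml)[1])


if __name__ == "__main__":
    introduced = new_failures(PREVIOUS_BUILD, CURRENT_BUILD)
    print("new insecure items:", introduced)
    sys.exit(1 if introduced else 0)  # non-zero marks the build as failed
```

Run as a post-build shell step, the non-zero exit turns a newly introduced vulnerability into a failed build rather than just a bump on the graph.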

From this point there are a few things you can do. You can review the output generated by ApexSec using Hudson by clicking on 'Latest Test Results'. You can also launch ApexSec and open the project file for your application, which will give you full details of the new vulnerabilities and our recommendations for resolving them. Don't forget, all Hudson is doing is continuously running ApexSec against your application. It still creates and updates a standard ApexSec project file; the file is simply updated more regularly, and is therefore a more accurate representation of the current security stance of your application.

- Open your project file with ApexSec for a more detailed description of your new vulnerabilities, including recommendations to resolve them.

Now that you have been made aware of these new vulnerabilities in your APEX application, you can follow the recommendations provided by ApexSec to resolve these problems as they occur, which is a lot less hassle than trying to do so towards the end of development.

With ApexSec scanning your application periodically using Hudson you end up with a real-time representation of the security of your application, and also a plethora of information regarding its security throughout the entire development process.